SSL client certificates

I'd like to use SSL client certificates for one virtual host on a Debian (Lenny) Ispconfig2 web server.
I have already done the 'proof of concept', which means that I enabled SSL for the web, put a http to https redirection into the 'apache directives' textfield and then manually altered the Vhost_ispconfig.conf file to the desired settings. Everything works fine so far.

The only drawback (of course) is that all settings are lost as soon as I alter anything in the ISPConfig GUI .

I tried putting it into the "Apache Directives" field, but I noticed that the contents of this field are put into both the :80 and :443 parts of the Vhost_ispconfig.conf entries for the web. I thought that I cannot do it that way.

Do I have to to it in a special way? Can I direct the entries to just the :443 part of the config? And where to put the https redirection then?

This is what I put into the :443 part of the webs vhost entry at the moment:

OK, so be it. ;-) The howto is a bit longish, but on the other hand it should be easy to follow.
It is based on a howto you can find here http://www.jfranken.de/homepages/johannes/vortraege/apache_inhalt.de.html#ToC18.
I only made it work in combination with ISPConfig.
Please note I am not an SSL certificate or security expert, so I am not liable for problems that might occur using this howto!Any hints or corrections are highly welcome!

Step 1: Setting up the root certificate authority

At first you need a certificate authority (CA) to sign your certificates. In this howto we create the CA ourselves. (BTW: You only need to do this once on your server.)

[B]$ openssl req -new -x509 -days 365 -keyout private/cakey.pem -out cacert.pem[/B]
Generating a 1024 bit RSA private key
..........++++++
........................++++++
writing new private key to 'private/privkey.pem'
Enter PEM pass phrase: [B][Passwort][/B]
Verifying - Enter PEM pass phrase: [B][Passwort][/B]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Locality Name (eg, city) [Frankfurt]:
Organization Name (eg, company) [John Doe Limited]:
Organizational Unit Name (eg, section) []:[B]CA[/B]
Common Name (eg, YOUR name) []:[B]John Doe Limited CA[/B]
Email Address []:[B][email protected][/B]

In this step the root certificate (cacert.pem) and a passphrase-secured private key (cakey.pem) are created.

Beware:
To the most of you this may be obvious, but I have to warn the others: the passphrase is needed to sign or withdraw your client certificates. So you must not lose it or give it to others!

We also generate a certificate revocation list (cacert.crl). This file is needed to mark certain certificates expired or invalid.

This must be done for each web you wish to equip with client certificate authentication.

We have to generate a certificate in ISPConfig to 'engage' SSL for the web (a port 443 paragraph will be added for the web in the Vhosts_ispconfig.conf).

Login to the ISPConfig GUI and open the web you wish to modify (johndoelimited.com in this case).
Activate the SSL checkbox (do not mix up with the SSI checkbox!) and save. A new SSL tab will become visible (after navigating back to the web).
Go to the SSL tab and enter the certificate data (it does not correspond to the client certificates, so you do not necessarily need to enter the same data).
In this example we enter:Country: Germany
Province: Hessen
Town: Frankfurt
Company: John Doe Limited
Department: webhosting
Validity (days): 365

Choose "create certificate" from the selectbox below and save.
Wait for a moment and go back to the SSL tab. Now you see a certificate has been generated and put into the corresponding text boxes.

Go back to the basic settings of the web and put the following into the "apache directives" field at the bottom and save:

In this configuration "John Doe" is the only user accepted for accessing the web. So we need to generate a client certificate for that name.

The access to the web can be controlled via this configuration.
The first three lines are just a redirection, which will put all http requests to https.
The next three lines define the certificate authority (CA). It must match the client certificate's signing.
The location tag defines the access to the web. In this case the whole web can be accessed, if you own the correct certificate.
You also could protect certain folders by adding further location tags (<Location /some-folder>)
The most interesting line inside the location block is SSLRequire. It defines what data must be contained in your client certificate to be accepted. Here it only accepts the name "John Doe". (I will not explain further configuration examples, use google to find out more!)

The configuration of the web is finished here, so we can go back to the console.

Step 3: Generating client certificates

This step must be done for every user of the secure web.

The generating of certificates is done in two steps:
First we generate a certificate signing request file (CSR). Then the request needs to be signed by the certificate authority (we created in step 1)

Code:

[B]$ cd /etc/ssl
$ openssl req -new -nodes -days 365 -out jdoe.csr -keyout jdoe.key[/B]
Generating a 1024 bit RSA private key
...............++++++
....++++++
writing new private key to jdoe.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Locality Name (eg, city) [Frankfurt]:
Organization Name (eg, company) [John Doe Limited]:
Organizational Unit Name (eg, section) []:[B]Webhosting[/B]
Common Name (eg, YOUR name) []:[B]John Doe[/B]
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Passwort]
An optional company name []:

Now the PFX file is converted and locked with the given password. You find it here: /etc/ssl/1001.p12
Give this file and password to the corresponding user.

To install it on a client PC, you right click the p12 file and choose "install" from the context menu. Then it will work at least in Internet Explorer.
For making it work in Firefox you have to start Firefox, choose "tools -> options -> advanced. Choose "view certificates". Choose "your certificates" and click on "import". choose the p12 file and enter the corresponding password. (Note: if you have set up a master password, you will be asked it first!).

Most of the manual work you can get 'automated' or 'built-in'. The apache 2 plugin contains the exec call's for the certificate creation, and using opensssl ca -batch does not ask any question, therefore it can be built in completely.

Back to the most interesting ...
.. what came to my mind is now, to identify ISPConfig 3 users with certificates ...